At the RSA Conference at Moscone last week, Uri Rivner of RSA presented “ZeusiLeaks” as a sensitive data dissemination network more hazardous — and harder to stop — than WikiLeaks.
Named after the Zeus Trojan, a keystroke logger, ZeusiLeaks and its botnet “leak” sensitive information silently in the background to a network of “Zeus operators,” or underground data brokers. Beyond bank passwords and one-time hits, the accumulation of “casual data,” such as fleeting messages exchanged via social networking websites, adds up to some very coherent information. Automated analysis of the words sent in these trivial online messages can significantly undermine an organization’s data secrecy.
The Zeus Trojan is spread primarily through drive-by downloads, pop-ups and other seemingly harmless download vectors. Running on the Windows platform, Zeus has infected over 3.5 million computers, and in 2009 alone, over 75,000 PCs in 2,500 organizations were infected. By using a backdoor port, certain variants of Zeus can also steal files, with the transfer masked by the use of an unexpected port. Recent reports indicate Zeus variants have also spread to smartphones and mobile devices.
Rivner demonstrated how public résumé data on LinkedIn, describing the role of an executive assistant at a corporation, was used by a Zeus botnet to determine which key individuals to target for covert information. Another unlikely case of data leakage he cited occurred on a dating website, where federal secrets were exposed “casually” over the site’s instant messaging.
While such cybercrime rings were once run by elite hackers, Zeus is now sold on the black market, so that anyone can run a Zeus network on a garage-startup budget. Some degree of prudence, discipline and strategy is still required, but the proliferation of such easy access to Zeus may account for how officials can more easily track down such crime operations.
An apt slogan for this APT derives from Sun Microsystems’ old motto “the network is the computer,” coined while the company provided the hardware and software to build the network. For ZeusiLeaks, with its self-propagating covert software that transmits data from unsuspecting end users, the adage becomes: “The network is the employee with an Internet-enabled device.”
Whereas WikiLeaks depends on defecting individuals consciously “leaking” sensitive data, ZeusiLeaks works without the traitor’s consent or awareness. Moreover, running autonomously on algorithms trained to find meaning in data fragments, ZeusiLeaks does not require a human editor to filter the material. Ultimately, ZeusiLeaks is WikiLeaks in automated stealth mode.